path: root/actionpack/lib/action_dispatch/middleware/cookies.rb
Commit message | Author | Age | Files | Lines
* `secret_token` is now saved in `Rails.application.secrets.secret_token` | Benjamin Fleischer | 2014-11-02 | 1 | -4/+4
    - `secrets.secret_token` is now used in all places `config.secret_token` was
    - `secrets.secret_token`, when not present in `config/secrets.yml`, now falls back to the value of `config.secret_token`
    - when `secrets.secret_token` is set, it over-writes `config.secret_token` so they are the same (for backwards-compatibility)
    - Update docs to reference app.secrets in all places
    - Remove references to `config.secret_token`, `config.secret_key_base`
    - Warn that missing secret_key_base is deprecated
    - Add tests for secret_token, key_generator, and message_verifier
      - the legacy key generator is used with the message verifier when secrets.secret_key_base is blank and secret_token is set
      - app.key_generator raises when neither secrets.secret_key_base nor secret_token are set
      - app.env_config raises when neither secrets.secret_key_base nor secret_token are set
    - Add changelog

    Run focused tests via
      ruby -w -Itest test/application/configuration_test.rb -n '/secret_|key_/'
* Use AS::JSON for (de)serializing cookies | Godfrey Chan | 2014-08-17 | 1 | -2/+3
    Use the Active Support JSON encoder for cookie jars using the `:json` or `:hybrid` serializer. This allows you to serialize custom Ruby objects into cookies by defining the `#as_json` hook on such objects.

    Fixes #16520.
* Merge pull request #16467 from strzalek/cookies-digest-config-option2 | Godfrey Chan | 2014-08-17 | 1 | -3/+9
    Cookies digest config option (pt. 2)

    Conflicts:
      actionpack/CHANGELOG.md
      actionpack/lib/action_dispatch/middleware/cookies.rb
* Add config option for cookies digest | Łukasz Strzałkowski | 2014-08-12 | 1 | -3/+9
    You can now configure custom digest for cookies in the same way as `serializer`:

      config.action_dispatch.cookies_digest = 'SHA256'
* Remove redundant NullSerializer | Łukasz Strzałkowski | 2014-08-13 | 1 | -16/+7
    Use one from ActiveSupport::MessageEncryptor module.
* Use `#bytesize` instead of `#size` when checking for cookie overflow | Agis- | 2014-07-11 | 1 | -2/+2
    Although the cookie values happen to be ASCII strings because they are Base64 encoded, it is semantically incorrect to check for the number of the characters in the cookie, when we actually want to check for the number of the bytes it consists of.

    Furthermore, it is unnecessary coupling with the current implementation that uses Base64 for encoding the values.
* Fix weird comment. [CI SKIP] | Guo Xiang Tan | 2014-07-09 | 1 | -2/+2
* Fixed an issue with migrating legacy json cookies. | Godfrey Chan | 2014-04-23 | 1 | -2/+2
    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming cookies are marshal-encoded. This is not the case when `secret_token` is used in conjunction with the `:json` or `:hybrid` serializer.

    In those cases, when upgrading to use `secret_key_base`, this would cause a `TypeError: incompatible marshal file format` and a 500 error for the user.

    Fixes #14774.

    *Godfrey Chan*
* only write the jar if the response isn't committed | Aaron Patterson | 2014-03-12 | 1 | -5/+16
    when streaming responses, we need to make sure the cookie jar is written to the headers before returning up the stack. This commit introduces a new method on the response object that writes the cookie jar to the headers as the response is committed. The middleware and test framework will not write the cookie headers if the response has already been committed.

    fixes #14352
* :scissors: | Zachary Scott | 2014-02-23 | 1 | -1/+1
    This commit also addresses rails/docrails#169 and rails/rails#14159
* rm warning about variable shadowing | Godfrey Chan | 2014-02-11 | 1 | -2/+2
* Migrate hash-based cookie values correctly | Godfrey Chan | 2014-02-11 | 1 | -2/+4
* Re-write legacy (marshal) cookies on read | Godfrey Chan | 2014-02-11 | 1 | -20/+40
* Added HybridSerializer to upgrade existing marshal cookies (wip: need tests) | Godfrey Chan | 2014-02-11 | 1 | -0/+14
* Renamed session_serializer option to cookies_serializer | Godfrey Chan | 2014-02-11 | 1 | -15/+30
* Updated the cookie docs to use the safer JSON.{generate,parse} | Godfrey Chan | 2014-02-08 | 1 | -5/+5
    cc @senny
* Rely on backticks instead of tt tags [ci skip] | Robin Dupret | 2014-02-08 | 1 | -2/+2
    Since the language in code blocks is inferred, if the code contains tt tags, the block will be parsed as XML for instance while it is Ruby.
* docs, Cookie values are String based. Closes #12860. [ci skip] | Yves Senn | 2014-02-08 | 1 | -7/+7
* Modify the session serializer implementation | Guillermo Iguaran | 2014-01-30 | 1 | -3/+5
    Rename allowed options to :marshal and :json, for custom serializers only allow the use of custom classes.
* Allow session serializer key in config.session_store | Lukasz Sarnacki | 2014-01-29 | 1 | -2/+14
    MessageEncryptor has :serializer option, where any serializer object can be passed. This commit makes it possible to set this serializer from configuration level.

    There are predefined serializers (:marshal_serializer, :json_serializer) and custom serializer can be passed as String, Symbol (camelized and constantized in ActionDispatch::Session namespace) or serializer object.

    Default :json_serializer was also added to generators to provide secure default.
* Update secret_key_base Docs | robertomiranda | 2013-12-15 | 1 | -8/+8
* Missing closing + in documentation [ci skip] | Edho Arief | 2013-07-04 | 1 | -1/+1
* Grammar nazi at work [ci skip] | Paweł Gościcki | 2013-06-12 | 1 | -1/+1
* Merge pull request #10061 from trevorturk/dummy-key-generator-rename | Santiago Pastorino | 2013-04-02 | 1 | -1/+1
    Rename DummyKeyGenerator -> LegacyKeyGenerator
* Rename DummyKeyGenerator -> LegacyKeyGenerator | Trevor Turk | 2013-04-02 | 1 | -1/+1
* :scissors: spacing after private | Trevor Turk | 2013-04-02 | 1 | -3/+0
* Be consistent when talking about cookies, key -> name | Trevor Turk | 2013-04-02 | 1 | -25/+25
* Fix permanent cookie jar accessor typo | Trevor Turk | 2013-04-02 | 1 | -1/+1
* Allow transparent upgrading of legacy signed cookies to encrypted cookies; Automatically configure cookie-based sessions to use the best cookie jar given the app's config | Trevor Turk | 2013-03-28 | 1 | -38/+77
* if cookie is tampered with then nil is returned [ci skip] | Neeraj Singh | 2013-03-25 | 1 | -4/+2
    if the given key is not found then verifier does raise `ActiveSupport::MessageVerifier::InvalidSignature` exception but this exception is rescued and finally nil is returned.
* Introduce UpgradeLegacySignedCookieJar to transparently upgrade existing signed cookies generated by Rails 3 to avoid invalidating them when upgrading to Rails 4 | Trevor Turk | 2013-03-24 | 1 | -99/+99
* Merge branch 'master' of github.com:lifo/docrails | Vijay Dev | 2013-02-26 | 1 | -1/+1
* improve grammar describing ActionDispatch::Cookies::CookieJar#delete | Weston Platter | 2013-02-19 | 1 | -1/+1
* improve grammar describing ActionDispatch::Cookies::CookieJar#delete | Weston Platter | 2013-02-19 | 1 | -1/+1
* InvalidMessage is in ActiveSupport::MessageEncryptor namespace | Santiago Pastorino | 2013-02-19 | 1 | -1/+1
    Closes #9302
* Add missing require to AP | Carlos Antonio da Silva | 2013-02-08 | 1 | -0/+1
* Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator | Andrey Chernih | 2013-02-08 | 1 | -4/+8
* add fetch to CookieJar | Aaron Patterson | 2013-01-27 | 1 | -0/+4
* Change `Example for` to `Example of` | lambda_ | 2013-01-03 | 1 | -2/+2
* Define [], []=, permanent, signed and encrypted as the only allowed methods for the non Raw Cookie classes | Santiago Pastorino | 2012-12-30 | 1 | -9/+57
* Add UpgradeSignatureToEncryptionCookieStore | Santiago Pastorino | 2012-11-16 | 1 | -2/+8
    This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that don't use key derivation) to the new one that signs using key derivation
* Disallow ability to use EncryptedCookieJar with DummyKeyGenerator | Santiago Pastorino | 2012-11-03 | 1 | -0/+5
    Developers must set config.secret_key_base in config/initializers/secret_token.rb
* Rename secret_token_key to secret_key_base | Santiago Pastorino | 2012-11-03 | 1 | -3/+3
* Move ensure_secret_secure to DummyKeyGenerator | Santiago Pastorino | 2012-11-03 | 1 | -24/+0
* Allow users to change the default salt if they want, shouldn't be necessary | Santiago Pastorino | 2012-11-03 | 1 | -11/+22
* Add cookie.encrypted which returns an EncryptedCookieJar | Santiago Pastorino | 2012-11-03 | 1 | -0/+48
    How to use it?

      cookies.encrypted[:discount] = 45
      => Set-Cookie: discount=ZS9ZZ1R4cG1pcUJ1bm80anhQang3dz09LS1mbDZDSU5scGdOT3ltQ2dTdlhSdWpRPT0%3D--ab54663c9f4e3bc340c790d6d2b71e92f5b60315; path=/
      cookies.encrypted[:discount]
      => 45
* Sign cookies using key deriver | Santiago Pastorino | 2012-11-03 | 1 | -15/+19
* 1.9 hash syntax changes to docs | AvnerCohen | 2012-10-31 | 1 | -7/+7
* load active_support/core_ext/object/blank in active_support/rails | Xavier Noria | 2012-08-02 | 1 | -1/+0
* adds a missing require from Active Support | Xavier Noria | 2012-07-28 | 1 | -0/+1
    This file uses mattr_accessor.